Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7326

Group resource (with auth_membership) fails if local Windows group contains not resolvable Domain accounts

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.9.3
    • Fix Version/s: PUP 4.10.11, PUP 5.3.6, PUP 5.5.0
    • Component/s: Windows
    • Labels:
    • Environment:

      Tested with multiple Windows versions (i.e. Server 2012R2) and Puppet Apply 4.9.3

    • CS Priority:
      Normal
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      5 - $$$$$$
    • CS Impact:
      Group is one of the core resource types and should work as expected on all supported platform including windows.
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      Previously when Windows local groups contained members that were at one point valid domain members but have since been deleted (creating unresolvable SIDs), Puppet would produce warnings or errors when managing such groups. Puppet can now safely handle unresolvable SIDs inside of groups.
      Show
      Previously when Windows local groups contained members that were at one point valid domain members but have since been deleted (creating unresolvable SIDs), Puppet would produce warnings or errors when managing such groups. Puppet can now safely handle unresolvable SIDs inside of groups.
    • QA Risk Assessment:
      Needs Assessment

      Description

      After leaving a Domain Windows systems may still contain not resolvable domain accounts inside local groups, i.e. in Administrators group:

      When trying to manage this group using auth_membership => true (to ensure all not resolvable domain user accounts are tidied to only have the local user Administrator inside the local Administrators group), Puppet will fail:

      group {'Administrators': 
          members => ['Administrator'], 
          auth_membership => true 
      }
      

      Tested with the following Puppet Apply command:

      puppet apply -e "group {'Administrators': members => ['Administrator'], auth_membership => true }
      

      Error: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784
      Error: /Stage[main]/Main/Group[Administrators]/members: change from TEST-WIN2012\Administrator,S-1-5-21-776561741-1409082233-725345543-15784 to TEST-WIN2012\Administrator failed: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784
      

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  ethan Ethan Brown
                  Reporter:
                  PaulW Paul W
                • Votes:
                  3 Vote for this issue
                  Watchers:
                  16 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: